Quickstart: Register an app in the Microsoft identity platform - Microsoft Entra (2023)


Get started with the Microsoft identity platform by registering an application in the Azure portal.

The Microsoft identity platform performs identity and access management (IAM) only for registered applications. Whether it's a client application like a web or mobile app, or it's a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform.

Tip

To register an application for Azure AD B2C, follow the steps in Tutorial: Register a web application in Azure AD B2C.

Prerequisites

  • An Azure account that has an active subscription. Create an account for free.
  • The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:
    • Application administrator
    • Application developer
    • Cloud application administrator
  • Completion of the Set up a tenant quickstart.

Register an application

Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: your app trusts the Microsoft identity platform, and not the other way around.

Follow these steps to create the app registration:

  1. Sign in to the Azure portal.

  2. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.

  3. Search for and select Azure Active Directory.

  4. Under Manage, select App registrations > New registration.

  5. Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time, and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.

  6. Specify who can use the application, sometimes called its sign-in audience.

    Supported account types:

    • Accounts in this organizational directory only: Select this option if you're building an application for use only by users (or guests) in your tenant. Often called a line-of-business (LOB) application, this app is a single-tenant application in the Microsoft identity platform.

    • Accounts in any organizational directory: Select this option if you want users in any Azure Active Directory (Azure AD) tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations. This type of app is known as a multitenant application in the Microsoft identity platform.

    • Accounts in any organizational directory and personal Microsoft accounts: Select this option to target the widest set of customers. By selecting this option, you're registering a multitenant application that can also support users who have personal Microsoft accounts.

    • Personal Microsoft accounts: Select this option if you're building an application only for users who have personal Microsoft accounts. Personal Microsoft accounts include Skype, Xbox, Live, and Hotmail accounts.

  7. Don't enter anything for Redirect URI (optional). You'll configure a redirect URI in the next section.

  8. Select Register to complete the initial app registration.

When registration finishes, the Azure portal displays the app registration's Overview pane. You see the Application (client) ID. Also called the client ID, this value uniquely identifies your application in the Microsoft identity platform.

Important

New app registrations are hidden from users by default. When you're ready for users to see the app on their My Apps page, you can enable it. To enable the app, in the Azure portal navigate to Azure Active Directory > Enterprise applications and select the app. Then, on the Properties page, toggle Visible to users? to Yes.

Your application's code, or more typically an authentication library used in your application, also uses the client ID. The ID is used as part of validating the security tokens it receives from the identity platform.
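The audience check the paragraph refers to, as an added example (not code from the page or from Microsoft's libraries): the client ID is compared against the token's `aud` claim, alongside the issuer and validity-window checks a single-tenant app would perform. The client ID, tenant ID and token values are constructed; signature verification against the platform's published signing keys is assumed to have already happened and is not shown.

```python
import base64
import json

# Constructed values for this example; a real app uses the Application (client) ID
# and Directory (tenant) ID shown on its registration's Overview pane.
CLIENT_ID = "00000000-0000-0000-0000-00000000c11e"
TENANT_ID = "00000000-0000-0000-0000-0000000007e7"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_payload(token: str) -> dict:
    """Return the claims segment of a compact JWT (header.payload.signature).

    This does NOT verify the signature; the platform's signing keys must be
    checked first (an authentication library normally does that for you).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, client_id: str, issuer: str, now: int, skew: int = 300) -> list:
    """Return a list of problems; an empty list means the claims are acceptable
    for a single-tenant app. `now` is Unix time; `skew` tolerates clock drift."""
    problems = []
    aud = claims.get("aud")
    # The client ID is the audience: a token minted for another app must be
    # rejected even if the same tenant issued it and the signature is valid.
    if aud != client_id and not (isinstance(aud, list) and aud == [client_id]):
        problems.append(f"aud mismatch: {aud!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + skew:
        problems.append("token expired or exp missing")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now + skew < nbf:
        problems.append("token not yet valid")
    return problems


def make_demo_token(claims: dict) -> str:
    """Build an unsigned demo token (alg 'none') so the parser can be exercised
    offline; real code must reject unsigned tokens."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."
```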

Add a redirect URI

A redirect URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.

In a production web application, for example, the redirect URI is often a public endpoint where your app is running, like https://contoso.com/auth-response. During development, it's common to also add the endpoint where you run your app locally, like https://127.0.0.1/auth-response or http://localhost/auth-response.

You add and modify redirect URIs for your registered applications by configuring their platform settings.

Configure platform settings

Settings for each application type, including redirect URIs, are configured in Platform configurations in the Azure portal. Some platforms, like Web and Single-page applications, require you to manually specify a redirect URI. For other platforms, like mobile and desktop, you can select from redirect URIs generated for you when you configure their other settings.

To configure application settings based on the platform or device you're targeting, follow these steps:

  1. In the Azure portal, in App registrations, select your application.

  2. Under Manage, select Authentication.

  3. Under Platform configurations, select Add a platform.

  4. Under Configure platforms, select the tile for your application type (platform) to configure its settings.

    Platform configuration settings:

    • Web: Enter a Redirect URI for your app. This URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform for standard web applications that run on a server.

    • Single-page application: Enter a Redirect URI for your app. This URI is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. Select this platform if you're building a client-side web app by using JavaScript or a framework like Angular, Vue.js, React.js, or Blazor WebAssembly.

    • iOS / macOS: Enter the app Bundle ID. Find it in Build Settings or in Xcode in Info.plist. A redirect URI is generated for you when you specify a Bundle ID.

    • Android: Enter the app Package name. Find it in the AndroidManifest.xml file. Also generate and enter the Signature hash. A redirect URI is generated for you when you specify these settings.

    • Mobile and desktop applications: Select one of the Suggested redirect URIs, or specify a Custom redirect URI. For desktop applications using an embedded browser, we recommend https://login.microsoftonline.com/common/oauth2/nativeclient. For desktop applications using the system browser, we recommend http://localhost. Select this platform for mobile applications that aren't using the latest Microsoft Authentication Library (MSAL) or aren't using a broker. Also select this platform for desktop applications.

  5. Select Configure to complete the platform configuration.

Redirect URI restrictions

There are some restrictions on the format of the redirect URIs you add to an app registration. For details about these restrictions, see Redirect URI (reply URL) restrictions and limitations.

Add credentials

Credentials are used by confidential client applications that access a web API. Examples of confidential clients are web apps, other web APIs, or service-type and daemon-type applications. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime.

You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.

Add a certificate

Sometimes called a public key, a certificate is the recommended credential type because certificates are considered more secure than client secrets. For more information about using a certificate as an authentication method in your application, see Microsoft identity platform application authentication certificate credentials.

  1. In the Azure portal, in App registrations, select your application.
  2. Select Certificates & secrets > Certificates > Upload certificate.
  3. Select the file you want to upload. It must be one of the following file types: .cer, .pem, .crt.
  4. Select Add.

Add a client secret

Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identify itself.

Client secrets are considered less secure than certificate credentials. Application developers sometimes use client secrets during local app development because of their ease of use. However, you should use certificate credentials for any of your applications that are running in production.

  1. In the Azure portal, in App registrations, select your application.
  2. Select Certificates & secrets > Client secrets > New client secret.
  3. Add a description for your client secret.
  4. Select an expiration for the secret or specify a custom lifetime.
    • Client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
    • Microsoft recommends that you set an expiration value of less than 12 months.
  5. Select Add.
  6. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.

For application security recommendations, see Microsoft identity platform best practices and recommendations.
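The lifetime and expiry rules above are easy to check across an estate. As an added example (not code from the page or from Microsoft), the audit below reads the `passwordCredentials` collection in the shape the Microsoft Graph applications endpoint returns it and flags secrets that are expired, about to expire, or were created with a lifetime longer than the recommended 12 months. The application object and its timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the `passwordCredentials` collection that the
# Microsoft Graph /applications endpoint returns (only the fields used here).
SAMPLE_APP = {
    "displayName": "contoso-web",
    "passwordCredentials": [
        {"displayName": "dev-secret",
         "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
        {"displayName": "prod-secret",
         "startDateTime": "2022-10-01T00:00:00Z", "endDateTime": "2023-04-20T00:00:00Z"},
        {"displayName": "old-secret",
         "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"},
    ],
}

# The page recommends an expiration of less than 12 months.
RECOMMENDED_MAX = timedelta(days=365)


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps, with or without fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(app: dict, now: datetime, warn_days: int = 30) -> list:
    """Return (secret name, finding) pairs for secrets that are expired,
    about to expire, or were created with a longer lifetime than recommended."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        name = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        start = parse_graph_time(cred["startDateTime"])
        end = parse_graph_time(cred["endDateTime"])
        if end - start > RECOMMENDED_MAX:
            findings.append((name, "lifetime exceeds the recommended 12 months"))
        remaining = end - now
        if remaining <= timedelta(0):
            # An expired secret no longer works but still clutters the registration.
            findings.append((name, "expired; rotate and remove it"))
        elif remaining <= timedelta(days=warn_days):
            findings.append((name, f"expires in {remaining.days} days; rotate it"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_secrets(SAMPLE_APP, datetime(2023, 4, 7, tzinfo=timezone.utc)):
        print(f"{SAMPLE_APP['displayName']}: {name}: {finding}")
```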

Add a federated credential

Federated identity credentials are a type of credential that allows workloads, such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure, to access Azure AD protected resources without needing to manage secrets, using workload identity federation.

To add a federated credential, follow these steps:

  1. In the Azure portal, in App registrations, select your application.

  2. Select Certificates & secrets > Federated credentials > Add a credential.

  3. In the Federated credential scenario drop-down box, select one of the supported scenarios, and follow the corresponding guidance to complete the configuration.

    • Customer managed keys to encrypt data in your tenant using Azure Key Vault in another tenant.
    • GitHub actions deploying Azure resources to configure a GitHub workflow to get tokens for your application and deploy assets to Azure.
    • Kubernetes accessing Azure resources to configure a Kubernetes service account to get tokens for your application and access Azure resources.
    • Other issuer to configure an identity managed by an external OpenID Connect provider to get tokens for your application and access Azure resources.

For more information on how to get an access token with a federated credential, see the Microsoft identity platform and the OAuth 2.0 client credentials flow article.

Next steps

Client applications typically need to access resources in a web API. You can protect your client application by using the Microsoft identity platform. You can also use the platform for authorizing scoped, permissions-based access to your web API.

Go to the next quickstart in the series to create another app registration for your web API and expose its scopes.

Configure an application to expose a web API

Article information

Author: Kimberely Baumbach CPA

Last Updated: 04/07/2023
